How to implement secure VPN authentication?


ags

Regular Contributor
I have not setup a VPN server before. My understanding may be incorrect, but from what I've found regarding OEM ASUSWRT firmware, VPN is protected by a username/password authentication only. If this is true, then I don't follow how it is more secure to expose an entire LAN based on username/password (on a known port) than to expose a random port (not 80 or 8080) to access just the router web interface.

I admit that the idea of having access to my LAN is enticing. If I could enable this with more powerful authentication I'd do it. Is there support for signed certificates, similar to what I've used for https? My understanding is that this is the only way to prevent spoofing and ensure that when I think I'm authenticating with my VPN server (router) I am actually communicating with it (encrypted not clear text).

Is this possible with ASUSWRT? Am I on the right track, or is my understanding of how VPN authentication works incorrect?
 
Can anyone provide more information, or comment on whether my understanding of how this works is correct?
 
There is quite some help at first at the router VPN Server page, secondly by following the "VPN Server FAQ link" on the same page, there is also explanation about encryption.
Further let Google be your friend related to VPN and all its ins and outs to determine if that is what you need.
 

I must be missing it. I read the VPN Server page on the router web interface, and also visited the FAQ link. It looks to me like the configuration is just selecting MPPE Encryption and setting client usernames and passwords. I was looking for something more like HTTPS, which would use an installed server certificate from a CA to validate that I'm about to connect to my router and not a man in the middle. This is what I'm looking for, unless I've completely missed the point of VPN.
 
HTTPS is related to access to webpages.
MPPE Encryption is related to VPN access.
The above two are not related to each other, although they may use the same network infrastructure.
 
Yes, I understand - HTTPS is not MPPE.

If I understand correctly, HTTPS provides encrypted data transfer and secure authentication. It's the latter that I'm interested in. By using a digital certificate from a CA a MiTM attack can be detected. HTTPS ensures that you are really connecting to the site you think you are connecting to - for instance (my great concern here) when authenticating with a password.

It's been suggested that I look into enabling VPN as a superior method of administering my router and accessing my entire LAN. Again, as I understand it, the ASUSWRT implementation still uses only a username/password authentication scheme for VPN. If that is true, I would be opening up my entire LAN to a successful hacker, and my only protection is a username/password on a well-known port. I can use secure passwords, but now consider the MiTM attack. There's no way for me to validate that when I connect from a WAN to my router that I've actually connected to it and not an impostor. That's why I'm asking if there is some type of server certificate that could be used, similar to what is used by HTTPS. It looks like Merlin-WRT may support this, but I'm not sure, and I'm hoping that it is also supported by the OEM firmware. I think that other vendors (not ASUS) and firmware may also support this, but again I'm not an expert here - hence the reason why I'm reaching out to this community for guidance.

I hope this is a clear explanation of what I'm trying to do. With so much detailed discussion on this forum (including security issues) I would be surprised if I'm the only one that has thought of this, unless some of my understanding is incorrect. If that's so, I'd appreciate being corrected. If more information is needed so I can get help here, please ask.

Thanks.
 
So I'm back to the original question(s):

1) Is my understanding correct that some form of certificate is needed (for example, similar to the way they are used for authentication by HTTPS) to prevent MiTM attacks when establishing a VPN connection to the router?

2) Is there support for some mechanism (certificates or other) within the OEM ASUSWRT firmware to prevent MiTM attacks when using VPN?

I'm not a router or networking expert. I can see that the Merlin build is used by many here. I would prefer to use the OEM firmware to try to keep things simple. Thanks.
 
I just upgraded from an ancient WRT54G with Tomato, to an ASUS RT-N66R with Merlin. I'm going through the process of setting up OpenVPN myself and ran across this post. You'll find info about creating and using certificates here: https://openvpn.net/index.php/open-source/documentation/howto.html#pki

It certainly isn't as user friendly since easy-rsa was unbundled from OpenVPN. :( The page linked to in the wiki on openvpn.net doesn't get you quite to the download page. You'll actually find it here: https://github.com/OpenVPN/easy-rsa/releases

I've made it as far as getting the router to acknowledge the OpenVPN connection attempts (you can see the messages under the System Log tab on the router UI) but so far I'm fighting with TLS authentication errors in the router log: (Thus my search here ;) )

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

Hopefully those pointers will get you going in the right direction. :)
 
This link might help you. It appears to be a fairly detailed description of how to get OpenVPN installed on an RT-N66U running Merlin.

http://www.yasti.be/?p=149

Unfortunately, I'm still trying to find out if I need to go to Merlin for this (rather than OEM firmware) and/or if there other options for secure authentication.

Good luck.
 
Found my mistake. Listing it here just in case future searches run across my error messages in this post. Protocol was set to UDP on the VPN Details screen. I changed it to TCP and then also edited my .ovpn file and changed udp to tcp and then the magic happened. :)

Installing the Merlin firmware is as easy as falling off a log. ;) It is based on the stock ASUS firmware. RMerlin just "enhances" it. I read that some of RMerlin's code is also now part of the stock ASUS firmware. I highly recommend the Merlin firmware over the stock code. I'm more used to Tomato, as I used it for years, but I definitely find that the Merlin code has many more useful features.
 
Asus's OpenVPN code actually came from my firmware (and I originally took that code from Tomato). Thanks to this, most tutorials designed for Tomato will work just as well on Asuswrt-Merlin and Asuswrt.

Asus added a very user-friendly "enable-and-use" level on top of OpenVPN so you don't need to learn how to manage keys and certificates, but you still have the option of using your own keys and certs.
 

Technically speaking, it is not a mistake to try to establish a UDP connection instead of a TCP one. I currently have the same problem but have been unable to find a solution so far (on my mobile devices, my home laptops work perfectly). sinshiva kindly pointed me in the "MTU size" direction but I haven't had much success making changes to it. If only there was more information on the OpenVPN forum...

EDIT: I realized I made an imprecise statement. I still only have this problem on my iPad. On android "OpenVPN for android" (https://play.google.com/store/apps/details?id=de.blinkt.openvpn) does solve the problem (also suggested by sinshiva).
 

Did you try adding the following to the 'Custom configuration' field?

Code:
tun-mtu 1400
fragment 1396
mssfix

I also added this to my client profiles, but I think it's more a server-side option. Setting the MTU seems more important for Apple products, at least; they wouldn't connect properly without it being set.
 
The first time I tried, I didn't use mssfix. I just tried again using the commands you suggested but regretfully it didn't work either.

Placing those three directives on both sides, I got a warning on the client side stating that I cannot use the 'fragment' directive.

Code:
---- OpenVPN Start ----
EVENT: CORE_THREAD_ACTIVE
EVENT: CORE_THREAD_ERROR
info='option_error: sorry, 'fragment' directive is not supported, nor is connecting to a server that uses 'fragment' directive'
EVENT: CORE_THREAD_INACTIVE

And if I remove 'fragment', I get an error on the server side

Code:
WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
openvpn[3640]: 192.168.2.105:43056 TLS: Initial packet from [AF_INET]192.168.2.105:43056, sid=xxxx xxxx
openvpn[3640]: 192.168.2.105:42532 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

And if I go back to 1500 on the MTU, I get right back to the starting point.


On the other hand, yesterday I re-read (for the nth-time) the OpenVPN how-to and they do have a small section on the FAQ, that I somehow skipped the previous times, about this type of problem.

The connection stalls on startup when using a proto udp configuration, the server log file shows this line:

TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx
however the client log does not show an equivalent line.

Solution: You have a one-way connection from client to server. The server to client direction is blocked by a firewall, usually on the client side. The firewall can either be (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client.

How on earth is one supposed to change the firewall on an Android or iOS device??? Well, there is an app available for Android called Droidwall, but obviously the device must be rooted. I don't even know if such an option exists on iOS.
 
my friend had trouble using openvpn on unrooted apple devices iirc. no firewall thing was needed though. this was connecting to MY openvpn server.

An aside, do you have these in your client config:
tls-client
remote-cert-tls server

and this in your server 'custom' field:
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA

and server set for bi-directional HMAC?

Easier than one-way imo.
 
To be honest, I haven't. Even though most of the sample configs I've seen include tls-auth, I saw this as an extra step to take after getting the most basic configuration working. Nevertheless, it seems I should be aiming at installing openvpn through macports and creating the tls-auth keys now.

Currently, these are my configuration files:

Server side:
Code:
# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

Client Side:
Code:
client
dev tun
proto udp
remote xxxxx.asuscomm.com 1194
float
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
ns-cert-type server
resolv-retry infinite
nobind

iptables:
Code:
#!/bin/sh
iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I INPUT -i tun21 -j ACCEPT
iptables -I FORWARD 2 -i tun21 -j ACCEPT

EDIT: As a clarification, I used the easy-rsa found in the Tunnelblick OpenVPN Client to create my own CA, keys and certs.
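The configs posted above, together with the UDP/TCP mix-up and the OpenVPN Connect 'fragment' error earlier in the thread, are all cases of a server config and a client profile disagreeing. The following checker is an added example, not code from the thread, from OpenVPN or from Asuswrt: it parses OpenVPN's directive syntax (one directive per line, '#' or ';' comments, inline `<ca>`...`</ca>` style blocks) and reports the mismatches behind the errors quoted here. It assumes the rule from the OpenVPN manual that a `tls-auth` given without a direction is used bidirectionally, while `key-direction 0` on the server pairs with `key-direction 1` on the client. The `SERVER` and `CLIENT` samples are constructed, modelled on the posted ones, with a placeholder host name and placeholder PEM bodies.

```python
"""Cross-check an OpenVPN server config against a client profile (added example)."""
import re

# Inline file blocks such as <ca> ... </ca>; the body is kept verbatim.
INLINE_RE = re.compile(r"<([\w-]+)>\n(.*?)\n</\1>", re.S)


def parse_config(text):
    """Return (directives, inline): directives is a list of (name, args) in file
    order; inline maps a block name such as 'ca' to the text between its tags."""
    inline = {}

    def grab(match):
        inline[match.group(1)] = match.group(2)
        return ""

    text = INLINE_RE.sub(grab, text)
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, inline


def first(directives, name):
    """Args of the first occurrence of a directive, or None if it is absent."""
    for n, args in directives:
        if n == name:
            return args
    return None


def tls_auth_mode(directives, inline):
    """'none' (no tls-auth), 'bidir' (one key both ways), or '0' / '1'.
    The direction may follow the file name ('tls-auth ta.key 0') or come from a
    separate 'key-direction' line, which is how inline <tls-auth> blocks do it."""
    args = first(directives, "tls-auth")
    if args is None and "tls-auth" not in inline:
        return "none"
    direction = args[1] if args and len(args) > 1 else None
    key_direction = first(directives, "key-direction")
    if key_direction:
        direction = key_direction[0]
    return "bidir" if direction is None else direction


def check_pair(server_text, client_text):
    """Return a list of (code, message) findings for the server/client pair."""
    s, s_inline = parse_config(server_text)
    c, c_inline = parse_config(client_text)
    findings = []

    # Transport must match (udp/udp4/udp6 vs tcp/tcp-server/tcp-client): a udp
    # client against a tcp server never completes the handshake and logs the
    # "TLS key negotiation failed to occur within 60 seconds" timeout.
    s_proto = (first(s, "proto") or ["udp"])[0]
    c_proto = (first(c, "proto") or ["udp"])[0]
    if s_proto[:3] != c_proto[:3]:
        findings.append(("proto-mismatch", f"server proto {s_proto}, client proto {c_proto}"))

    # tls-auth: both sides or neither, and complementary directions; a one-sided
    # setup is what the server logs as "cannot locate HMAC in incoming packet".
    s_mode, c_mode = tls_auth_mode(s, s_inline), tls_auth_mode(c, c_inline)
    if (s_mode == "none") != (c_mode == "none"):
        findings.append(("tls-auth-one-sided", f"server tls-auth {s_mode}, client {c_mode}"))
    elif s_mode != "none":
        expected = {"bidir": "bidir", "0": "1", "1": "0"}[s_mode]
        if c_mode != expected:
            findings.append(("tls-auth-direction",
                             f"server uses {s_mode}, client uses {c_mode}; expected client {expected}"))

    # Server identity: the client needs a CA to chain to and a check that the
    # presented certificate is a server certificate, otherwise any client cert
    # from the same CA could pose as the router.
    if first(c, "ca") is None and "ca" not in c_inline:
        findings.append(("no-ca", "client has no CA to verify the server certificate against"))
    if first(c, "remote-cert-tls") is None:
        if first(c, "ns-cert-type") is None:
            findings.append(("no-server-verify", "client lacks 'remote-cert-tls server'"))
        else:
            findings.append(("ns-cert-type-deprecated",
                             "client relies on deprecated 'ns-cert-type server'; use 'remote-cert-tls server'"))

    # 'fragment' is rejected by the OpenVPN Connect (OpenVPN 3) client, which is
    # the option_error quoted earlier in the thread.
    for side, d in (("server", s), ("client", c)):
        if first(d, "fragment") is not None:
            findings.append(("fragment-unsupported", f"{side} config uses 'fragment'"))
    return findings


# Constructed samples modelled on the thread's configs (not real keys or certs).
SERVER = """\
server 10.8.0.0 255.255.255.0
proto udp
port 1194
cipher AES-256-CBC
tls-auth static.key
ca ca.crt
cert server.crt
key server.key
"""

CLIENT = """\
client
proto udp
remote router.example.invalid 1194
cipher AES-256-CBC
remote-cert-tls server
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(constructed placeholder)
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for code, message in check_pair(SERVER, CLIENT) or [("ok", "no mismatches")]:
        print(f"{code}: {message}")
```

Run against the constructed pair it reports a single `tls-auth-direction` finding, because the server's `tls-auth static.key` has no direction (bidirectional) while the client says `key-direction 1`; dropping the client's `key-direction` line, or giving the server `tls-auth static.key 0`, makes the pair consistent.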
 
Well, I definitely didn't know that by using Extra HMAC authorization, the router would automatically create the key. That's very cool.

Regretfully, the suggested changes didn't work out. In fact, I also lost connectivity through my laptops. If I try to connect using my laptop, I get this message on the server side:

Code:
Mar 10 19:36:12 openvpn[6978]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]192.168.2.102:55082

If I try to connect using any of my mobile devices and OpenVPN Connect client, I get:

Code:
Mar 10 19:41:32 openvpn[6978]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar 10 19:41:32 openvpn[6978]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.2.106:62266

Client config files:
Code:
client
dev tun
proto udp
remote xxxx.asuscomm.com 1194
float
user nobody
group nobody
cipher AES-256-CBC
comp-lzo adaptive
tls-client
remote-cert-tls server
nobind

ns-cert-type server

persist-key
persist-tun

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>

Server config file:
Code:
# Automatically generated configuration
daemon
server 10.8.0.0 255.255.255.0
proto udp
port 1194
dev tun21
cipher AES-256-CBC
comp-lzo adaptive
keepalive 15 60
verb 3
tls-auth static.key
ca ca.crt
dh dh.pem
cert server.crt
key server.key
status-version 2
status status

# Custom Configuration
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA

As a side note, before activating the bidirectional HMAC authorization, my laptop would normally connect (including the directives you suggested). And the static.key content is the same for the server and the client.
 
After I don't know how many hours of trying to figure out why the OpenVPN Connect client doesn't work on UDP but does work on TCP, I am just going to leave it there. I only have one device that will have to bear with the disadvantages of using the TCP protocol.

sinshiva, thank you so much for trying to help me. I truly appreciate it.
 
What is the disadvantage of TCP vs UDP (latency)?

I'm still hoping to configure OpenVPN on ASUSWRT. A quick review of the tutorials linked in other replies has me wondering how all this configuration is done - I see nothing remotely like this in the web GUI. Is this done with ssh and editing config files with vi?
 
